Dedicated nodes for a namespace

In Kubernetes we run multiple environments, separated into different namespaces. I want to make sure that a set of nodes is used only by a specific namespace/environment:

  1. Nodes carrying a specific label should reject every pod that does not belong to the namespace.
  2. Pods from that namespace should always be scheduled onto the nodes carrying the label.

What is the way to implement this? I have heard about mutating webhook admission controllers; does anyone have an example so I can understand how it works?

Comments
  • 自大狂

    It can be done via a node-selector annotation in the namespace; see an example here

  • 怪叔叔

    You can use mutating webhook to mutate an incoming pod request from a specific namespace to add node affinity or node selector in the pod spec.

    An example of a nodeSelector admission controller here

    Below is an example of adding node affinity.

    package main

    import (
        "encoding/json"
        "fmt"

        "github.com/golang/glog"
        "k8s.io/api/admission/v1beta1"
        v1 "k8s.io/api/core/v1"
        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    )

    // options holds the label key/value written into the node-affinity rule.
    // The original post did not show this type; it is declared here so the
    // snippet compiles.
    type options struct {
        PodAffinityKey   string
        PodAffinityValue string
    }

    // mutatePods handles one AdmissionReview for a pod and returns a response
    // that admits the pod with a JSON Patch adding a nodeAffinity rule.
    func mutatePods(ar v1beta1.AdmissionReview, o *options) *v1beta1.AdmissionResponse {
        var reviewResponse = &v1beta1.AdmissionResponse{
            Allowed: true,
        }

        // Only pod resources are expected at this webhook endpoint.
        podResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
        if ar.Request.Resource != podResource {
            glog.Errorf("expect resource to be %s", podResource)
            return nil
        }

        raw := ar.Request.Object.Raw
        pod := v1.Pod{}
        // glog.V(2).Infof("Object: %v", string(raw))
        if err := json.Unmarshal(raw, &pod); err != nil {
            glog.Error(err)
            return nil
        }

        // Note: preferredDuringSchedulingIgnoredDuringExecution with NotIn is a
        // soft preference away from nodes carrying the label; use
        // requiredDuringSchedulingIgnoredDuringExecution to make the rule binding.
        addPodAffinityPatch := fmt.Sprintf(`[
             {"op":"add","path":"/spec/affinity","value":{"nodeAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"preference":{"matchExpressions":[{"key":"%s","operator":"NotIn","values":["%s"]}]},"weight":1}]}}}
        ]`, o.PodAffinityKey, o.PodAffinityValue)

        glog.V(2).Infof("patching pod")
        reviewResponse.Patch = []byte(addPodAffinityPatch)
        pt := v1beta1.PatchTypeJSONPatch
        reviewResponse.PatchType = &pt

        return reviewResponse
    }
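The following is an added example, not code from the question or from either answer, that puts both requirements together in one mutating webhook and uses only the Go standard library so it runs without the Kubernetes client packages. It assumes a dedicated namespace `team-a` and a node pool whose nodes carry both the label `dedicated=team-a` and the taint `dedicated=team-a:NoSchedule` (for example via `kubectl taint nodes <node> dedicated=team-a:NoSchedule`); all of these names and the sample AdmissionReview are constructed. The taint is what satisfies requirement 1: pods without a matching toleration are rejected by the scheduler, and the webhook hands that toleration only to pods created in `team-a`. The nodeSelector it adds satisfies requirement 2. `BuildPatch` builds the RFC 6902 JSON Patch and `HandleReview` wraps it in the `admission.k8s.io/v1` envelope the API server exchanges with the webhook.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed settings (assumptions, not from the question). Nodes in the pool
// carry the label dedicated=team-a and a NoSchedule taint with the same key/value.
const (
	dedicatedNamespace = "team-a"
	dedicatedKey       = "dedicated"
	dedicatedValue     = "team-a"
)

// patchOp is one RFC 6902 JSON Patch operation.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// Minimal view of the admission.k8s.io/v1 AdmissionReview envelope: only the fields this handler uses.
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}
type admissionRequest struct {
	UID       string          `json:"uid"`
	Namespace string          `json:"namespace"`
	Object    json.RawMessage `json:"object"`
}
type admissionResponse struct {
	UID       string `json:"uid"`
	Allowed   bool   `json:"allowed"`
	PatchType string `json:"patchType,omitempty"`
	Patch     []byte `json:"patch,omitempty"` // encoding/json base64-encodes []byte, as the API expects
}

// escapePointer applies RFC 6901 escaping ("~" -> "~0", "/" -> "~1") so a label key is a valid JSON Pointer token.
func escapePointer(s string) string {
	return strings.NewReplacer("~", "~0", "/", "~1").Replace(s)
}

// BuildPatch returns the JSON Patch that pins a pod from the dedicated namespace to the
// labelled, tainted nodes; pods from other namespaces get nil (no patch) and pass through unchanged.
func BuildPatch(namespace string, rawPod []byte) ([]byte, error) {
	if namespace != dedicatedNamespace {
		return nil, nil
	}
	var pod struct {
		Spec struct {
			NodeSelector map[string]string `json:"nodeSelector"`
			Tolerations  []json.RawMessage `json:"tolerations"`
		} `json:"spec"`
	}
	if err := json.Unmarshal(rawPod, &pod); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	var ops []patchOp
	// Requirement 2: "add" fails on a missing parent, so create nodeSelector when
	// absent; otherwise set our key only ("add" on an existing member replaces it).
	if pod.Spec.NodeSelector == nil {
		ops = append(ops, patchOp{"add", "/spec/nodeSelector", map[string]string{dedicatedKey: dedicatedValue}})
	} else {
		ops = append(ops, patchOp{"add", "/spec/nodeSelector/" + escapePointer(dedicatedKey), dedicatedValue})
	}
	// Requirement 1: the nodes are tainted NoSchedule, so only pods that receive
	// this toleration can be scheduled there.
	tol := map[string]string{"key": dedicatedKey, "operator": "Equal", "value": dedicatedValue, "effect": "NoSchedule"}
	if pod.Spec.Tolerations == nil {
		ops = append(ops, patchOp{"add", "/spec/tolerations", []interface{}{tol}})
	} else {
		ops = append(ops, patchOp{"add", "/spec/tolerations/-", tol}) // "-" appends
	}
	return json.Marshal(ops)
}

// HandleReview takes the AdmissionReview body posted by the API server and returns
// the AdmissionReview carrying the response (same uid, allowed, patch if any).
func HandleReview(body []byte) ([]byte, error) {
	var review admissionReview
	if err := json.Unmarshal(body, &review); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if review.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	patch, err := BuildPatch(review.Request.Namespace, review.Request.Object)
	if err != nil {
		return nil, err
	}
	resp := &admissionResponse{UID: review.Request.UID, Allowed: true}
	if patch != nil {
		resp.PatchType = "JSONPatch"
		resp.Patch = patch
	}
	return json.Marshal(admissionReview{APIVersion: review.APIVersion, Kind: review.Kind, Response: resp})
}
```

Two design points worth noting. The patch distinguishes pods that already have a `nodeSelector` or `tolerations` from those that do not, because a JSON Patch `add` on a path whose parent does not exist is rejected by the API server. And the mutating webhook on its own does not stop a pod in another namespace from declaring the toleration itself; if that matters, a validating webhook (or the PodTolerationRestriction admission plugin) has to reject tolerations for the dedicated taint outside `team-a`.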